
Thanks, Björn, 

I'll have to investigate. 

With Regards

Stefan Paetow
Consultant, Trust and Identity

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: [log in to unmask]
skype: stefan.paetow.janet

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
 

On 21/06/2018, 15:15, "Abt Björn Erik (PSI)" <[log in to unmask]> wrote:

    Hi Stefan,
    
    on the client:
    moonshot-gss-eap.x86_64      1.0.1-2.el7.centos      @Moonshot
    moonshot-ui.x86_64           1.0.5-3.el7.centos      @Moonshot
    libcurl-openssl.x86_64       7.28.1-1.1              @Moonshot
    openssl.x86_64               1:1.0.2k-8.el7          @anaconda/7.4
    openssl-libs.x86_64          1:1.0.2k-8.el7          @anaconda/7.4
    xmlsec1-openssl.x86_64       1.2.20-7.el7_4          @rhel7
    
    and on the server the same...
    
    Cheers Björn
    __________________________________________
    Paul Scherrer Institut 
    Björn Erik Abt
    IT Security Officer
    WHGA/U136
    CH-5232 Villigen PSI
    
    Phone: +41 56 310 40 17
    E-Mail: [log in to unmask] 
    
    
    -----Original Message-----
    From: Stefan Paetow [mailto:[log in to unmask]] 
    Sent: Thursday, 21 June 2018 16:07
    To: Abt Björn Erik (PSI); [log in to unmask]
    Subject: Re: A token had an invalid Message Integrity Check (MIC)
    
    Ok, 
    
    Can you double-check that the version of OpenSSL is the latest on both the client and the RP Proxy? Also, which version of the moonshot-ui and moonshot-gss-eap packages are installed on each?
    
    I would check that moonshot-ui is at 1.0.5 (we've found an issue with v1.0.6 on CentOS 6). 
    
    With Regards
    
    Stefan Paetow
    Consultant, Trust and Identity
    
    t: +44 (0)1235 822 125
    gpg: 0x3FCE5142
    xmpp: [log in to unmask]
    skype: stefan.paetow.janet
    
    jisc.ac.uk
    
     
    
    On 21/06/2018, 15:01, "GOV-UK-REQUESTS on behalf of Abt Björn Erik (PSI)" <[log in to unmask] on behalf of [log in to unmask]> wrote:
    
        Dear Stefan,
        
        No problem at all. I use the "Red Hat Enterprise Linux Server release 7.4 (Maipo)" OS.
        
        And I get exactly the same message with gss-client and gss-server...
        
        On the client I issue: gss-client -mech {1.3.6.1.5.5.15.1.1.18} moonshot01.psi.ch [log in to unmask] foo
        
        Sending init_sec_context token (size=45)...continue needed...
        Sending init_sec_context token (size=43)...continue needed...
        Sending init_sec_context token (size=320)...continue needed...
        Sending init_sec_context token (size=29)...continue needed...
        Sending init_sec_context token (size=29)...continue needed...
        Sending init_sec_context token (size=156)...continue needed...
        Sending init_sec_context token (size=94)...continue needed...
        Sending init_sec_context token (size=126)...continue needed...
        Sending init_sec_context token (size=29)...continue needed...
        Sending init_sec_context token (size=47)...continue needed...
        GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information
        GSS-API error initializing context: Error token is malformed or corrupt
        
        
        And on the server I issue: gss-server -verbose [log in to unmask]
        
        starting...
        Received token (size=45):
        60 2b 06 09 2b 06 01 05 05 0f 01 01 12 06 01 00
        00 00 02 00 00 00 16 68 6f 73 74 2f 6d 6f 6f 6e
        73 68 6f 74 30 31 2e 70 73 69 2e 63 68
        Sending accept_sec_context token (size=58):
        60 38 06 09 2b 06 01 05 05 0f 01 01 12 06 02 00
        00 00 03 00 00 00 16 68 6f 73 74 2f 6d 6f 6f 6e
        73 68 6f 74 30 31 2e 70 73 69 2e 63 68 80 00 00
        05 00 00 00 05 01 00 00 05 01
        continue needed...
        Received token (size=43):
        60 29 06 09 2b 06 01 05 05 0f 01 01 12 06 01 80
        00 00 04 00 00 00 14 02 00 00 14 01 40 55 4d 42
        52 45 4c 4c 41 49 44 2e 4f 52 47
        Sending accept_sec_context token (size=29):
        60 1b 06 09 2b 06 01 05 05 0f 01 01 12 06 02 80
        00 00 05 00 00 00 06 01 01 00 06 15 20
        continue needed...
        Received token (size=320):
        60 82 01 3c 06 09 2b 06 01 05 05 0f 01 01 12 06
        01 80 00 00 04 00 00 01 27 02 01 01 27 15 00 16
        03 01 01 1c 01 00 01 18 03 03 d0 62 93 06 d8 df
        bf b1 23 df 34 41 6d 6f 71 e8 87 81 ae e2 bc 30
        4d 21 9d 72 51 17 31 65 bd 3a 00 00 ac c0 30 c0
        2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00
        9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00
        36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a c0
        26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f c0
        2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 00
        9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31 00
        30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 00
        42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c 00
        3c 00 2f 00 96 00 41 c0 12 c0 08 00 16 00 13 00
        10 00 0d c0 0d c0 03 00 0a 00 07 c0 11 c0 07 c0
        0c c0 02 00 05 00 04 00 ff 01 00 00 43 00 0b 00
        04 03 00 01 02 00 0a 00 0a 00 08 00 17 00 19 00
        18 00 16 00 23 00 00 00 0d 00 20 00 1e 06 01 06
        02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03
        01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 01
        
        Sending accept_sec_context token (size=1029):
        60 82 04 01 06 09 2b 06 01 05 05 0f 01 01 12 06
        02 80 00 00 05 00 00 03 ec 01 02 03 ec 15 c0 00
        00 0a d7 16 03 03 00 5e 02 00 00 5a 03 03 a1 f7
        1d af ad c7 5f dc 40 f4 e4 92 6f c8 a5 a3 ad 79
        b4 49 ca 60 55 3a 40 26 66 82 a7 e0 d8 d3 20 f4
        cf ca ab f4 91 1b dd 52 a0 01 07 7e 9f 2e 5b fd
        24 5c 82 8c 73 e5 b9 4c ea 69 05 00 1e 11 51 c0
        30 00 00 12 ff 01 00 01 00 00 0b 00 04 03 00 01
        02 00 0f 00 01 01 16 03 03 09 14 0b 00 09 10 00
        09 0d 00 03 f8 30 82 03 f4 30 82 02 dc a0 03 02
        01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01
        01 0b 05 00 30 81 a1 31 0b 30 09 06 03 55 04 06
        13 02 43 48 31 14 30 12 06 03 55 04 08 0c 0b 53
        77 69 74 7a 65 72 6c 61 6e 64 31 15 30 13 06 03
        55 04 07 0c 0c 56 69 6c 6c 69 67 65 6e 20 50 53
        49 31 13 30 11 06 03 55 04 0a 0c 0a 75 6d 62 72
        65 6c 6c 61 49 44 31 25 30 23 06 09 2a 86 48 86
        f7 0d 01 09 01 16 16 63 6f 6e 74 61 63 74 40 75
        6d 62 72 65 6c 6c 61 69 64 2e 6f 72 67 31 29 30
        27 06 03 55 04 03 0c 20 75 6d 62 72 65 6c 6c 61
        49 44 20 43 65 72 74 69 66 69 63 61 74 65 20 41
        75 74 68 6f 72 69 74 79 30 1e 17 0d 31 36 31 31
        31 38 30 39 32 31 32 38 5a 17 0d 31 38 31 31 31
        38 30 39 32 31 32 38 5a 30 81 87 31 0b 30 09 06
        03 55 04 06 13 02 43 48 31 14 30 12 06 03 55 04
        08 0c 0b 53 77 69 74 7a 65 72 6c 61 6e 64 31 13
        30 11 06 03 55 04 0a 0c 0a 75 6d 62 72 65 6c 6c
        61 49 44 31 26 30 24 06 03 55 04 03 0c 1d 75 6d
        62 72 65 6c 6c 61 49 44 20 53 65 72 76 65 72 20
        43 65 72 74 69 66 69 63 61 74 65 31 25 30 23 06
        09 2a 86 48 86 f7 0d 01 09 01 16 16 63 6f 6e 74
        61 63 74 40 75 6d 62 72 65 6c 6c 61 69 64 2e 6f
        72 67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d
        01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82
        01 01 00 d4 40 ec ea dd 74 ac 29 6f 75 a1 77 30
        30 4c b3 9f 08 9e 3a 89 eb b0 4e 8e 1d 1d e3 d7
        6e 66 74 75 56 07 16 a2 5a a1 25 d0 17 23 72 13
        13 a6 da cf 36 27 04 e7 ef 3c 13 e1 80 0c 3d 88
        ae 09 48 be 7f 19 46 25 f3 39 f3 83 51 72 5e 32
        77 03 c1 ce 0b fb 99 43 08 0e 00 f0 e0 b0 5c 4e
        29 35 47 be ee f3 cc 23 cc 06 f7 8b ca fd cf 1f
        e5 d4 97 75 b5 4e 26 ae c2 2d 2e 14 86 4d d5 b9
        9c 88 18 e7 d7 45 67 e0 95 16 cb ff db 6c ef 26
        ae 6f a8 a8 d0 0a 2f 20 51 67 e5 b5 66 b3 6a 01
        c5 b8 d6 3a 0a 8a bb dc 80 4f c5 4b fc e3 79 c9
        0d f4 0d 24 0d 8a 24 74 99 5c 44 92 7e 5a 6f b7
        3d 61 3f 45 71 d2 8c de 45 04 57 61 44 b7 a6 ea
        fe 2c 25 f1 be bc b4 a1 c7 63 c6 3f 67 a5 8d 0b
        0d 33 8f 8a f1 98 d6 c6 48 06 67 df 13 0d f8 9f
        5f c7 e1 3e 8f f4 2d 53 75 60 04 59 10 50 e4 c5
        60 21 91 02 03 01 00 01 a3 4f 30 4d 30 13 06 03
        55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03
        01 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29
        a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65
        78 61 6d 70 6c 65 2e 63 6f 6d 2f 65 78 61 6d 70
        6c 65 5f 63 61 2e 63 72 6c 30 0d 06 09 2a 86 48
        86 f7 0d 01 01 0b 05 00 03 82 01 01 00 2d 50 76
        8a 6c b6 65 bd f6 e7 32 dd c2 ab b9 c7 31 25 7b
        48 73 b8 c4 99 c7 46 7e 29 55 1c c0 88 d7 3a 8f
        54 67 1e c5 b4 b7 a9 78 cb 5b ac 5b 1d e9 de f6
        cf 85 92 0c dc 73 f2 65 97 1d 26 81 5f ea a3 93
        21 c4 fe 01 de 9b 8a b4 43 f5 49 b8 6e ae ef a8
        ec 84 05 32 bf d8 ab 27 5d 4b f5 65 0d bb ee 92
        5e e5 2c 00 cc dc 8f 7b ad f5 21 99 08 a4 5a e4
        1d 0d b2 99 39
        continue needed...
        Received token (size=29):
        60 1b 06 09 2b 06 01 05 05 0f 01 01 12 06 01 80
        00 00 04 00 00 00 06 02 02 00 06 15 00
        Sending accept_sec_context token (size=1029):
        60 82 04 01 06 09 2b 06 01 05 05 0f 01 01 12 06
        02 80 00 00 05 00 00 03 ec 01 03 03 ec 15 c0 00
        00 0a d7 a4 ae 0a ce 41 91 c8 4f ff 18 36 f1 26
        17 ad 3e 8e 56 b2 4f d7 72 50 c5 a7 fb 01 e8 38
        df 25 22 fe 18 e3 3d 40 55 bd 6e 09 a8 2e 38 0a
        74 e7 9f a2 4e f3 fb c2 7c 21 de 7d 7b 59 1e 6e
        da 3d 04 3b 43 bc 35 40 df d9 b0 a4 4e 75 a3 ab
        b7 d4 ab e0 c9 c1 1a 85 b7 6c 20 43 72 ba 22 61
        88 4c 80 e0 f4 4d 18 9b 99 f8 53 1f 39 fe db fd
        8a a3 64 0c 14 36 75 94 bf 5e 83 84 30 e0 59 8e
        86 fb 58 8b d7 20 fe 16 4b 81 e7 00 05 0f 30 82
        05 0b 30 82 03 f3 a0 03 02 01 02 02 09 00 d3 c4
        34 67 60 92 00 65 30 0d 06 09 2a 86 48 86 f7 0d
        01 01 0b 05 00 30 81 a1 31 0b 30 09 06 03 55 04
        06 13 02 43 48 31 14 30 12 06 03 55 04 08 0c 0b
        53 77 69 74 7a 65 72 6c 61 6e 64 31 15 30 13 06
        03 55 04 07 0c 0c 56 69 6c 6c 69 67 65 6e 20 50
        53 49 31 13 30 11 06 03 55 04 0a 0c 0a 75 6d 62
        72 65 6c 6c 61 49 44 31 25 30 23 06 09 2a 86 48
        86 f7 0d 01 09 01 16 16 63 6f 6e 74 61 63 74 40
        75 6d 62 72 65 6c 6c 61 69 64 2e 6f 72 67 31 29
        30 27 06 03 55 04 03 0c 20 75 6d 62 72 65 6c 6c
        61 49 44 20 43 65 72 74 69 66 69 63 61 74 65 20
        41 75 74 68 6f 72 69 74 79 30 1e 17 0d 31 36 31
        31 31 38 30 39 32 31 32 38 5a 17 0d 31 38 31 31
        31 38 30 39 32 31 32 38 5a 30 81 a1 31 0b 30 09
        06 03 55 04 06 13 02 43 48 31 14 30 12 06 03 55
        04 08 0c 0b 53 77 69 74 7a 65 72 6c 61 6e 64 31
        15 30 13 06 03 55 04 07 0c 0c 56 69 6c 6c 69 67
        65 6e 20 50 53 49 31 13 30 11 06 03 55 04 0a 0c
        0a 75 6d 62 72 65 6c 6c 61 49 44 31 25 30 23 06
        09 2a 86 48 86 f7 0d 01 09 01 16 16 63 6f 6e 74
        61 63 74 40 75 6d 62 72 65 6c 6c 61 69 64 2e 6f
        72 67 31 29 30 27 06 03 55 04 03 0c 20 75 6d 62
        72 65 6c 6c 61 49 44 20 43 65 72 74 69 66 69 63
        61 74 65 20 41 75 74 68 6f 72 69 74 79 30 82 01
        22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00
        03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 b1 25
        99 5d a0 b5 6a c4 59 63 ae d2 dd 4c 22 30 de 01
        87 d9 21 45 80 47 da d0 a1 a4 54 97 e5 59 de 8b
        7b 1e d4 c6 0f 56 5c 5c 25 de a9 19 c8 96 a0 a1
        74 21 4b b7 11 00 59 02 d5 bb 13 36 31 ae 80 03
        f7 99 69 00 f3 a4 91 2d 63 6a de 59 a0 fc ad c7
        0c 7a 95 37 20 ad f8 2d f7 fe 84 af 8c 88 11 46
        4a 2f 90 e6 72 90 2c b8 58 ca 5b e5 e4 81 7b 91
        18 49 9d 74 a3 9e 19 42 8b 5f 11 30 e8 de 6c 74
        fa c6 bc 7e c9 67 2f b3 16 47 20 2d 42 e6 ed 30
        b4 a6 54 ce d8 b3 b1 95 02 53 a4 01 eb f7 27 be
        ac fd d8 40 9d 62 75 42 e9 1c 0b 1c 72 76 4a d1
        24 b7 d5 85 fc ad aa f8 2a dd 15 0c 9f 64 67 c9
        63 ea 64 cb 8f 08 b5 99 49 ad d7 71 ec af f6 0e
        f9 2d f8 2a 1c a0 b2 e6 c8 30 93 fb ee 9f e1 7b
        fa 71 8a 27 16 13 72 ae a1 4c 8c f1 77 ce 7c 49
        0d f7 78 5e 65 89 b8 bb 6e 4a 3d 76 a8 ed 02 03
        01 00 01 a3 82 01 42 30 82 01 3e 30 1d 06 03 55
        1d 0e 04 16 04 14 11 c9 2b 79 a9 ca 64 25 88 df
        ee e6 9f e1 10 83 0b c5 5f e8 30 81 d6 06 03 55
        1d 23 04 81 ce 30 81 cb 80 14 11 c9 2b 79 a9 ca
        64 25 88 df ee e6 9f e1 10 83 0b c5 5f e8 a1 81
        a7 a4 81 a4 30 81 a1 31 0b 30 09 06 03 55 04 06
        13 02 43 48 31 14 30 12 06 03 55 04 08 0c 0b 53
        77 69 74 7a 65 72 6c 61 6e 64 31 15 30 13 06 03
        55 04 07 0c 0c 56 69 6c 6c 69 67 65 6e 20 50 53
        49 31 13 30 11 06 03 55 04 0a 0c 0a 75 6d 62 72
        65 6c 6c 61 49
        continue needed...
        Received token (size=29):
        60 1b 06 09 2b 06 01 05 05 0f 01 01 12 06 01 80
        00 00 04 00 00 00 06 02 03 00 06 15 00
        Sending accept_sec_context token (size=822):
        60 82 03 32 06 09 2b 06 01 05 05 0f 01 01 12 06
        02 80 00 00 05 00 00 03 1d 01 04 03 1d 15 80 00
        00 0a d7 44 31 25 30 23 06 09 2a 86 48 86 f7 0d
        01 09 01 16 16 63 6f 6e 74 61 63 74 40 75 6d 62
        72 65 6c 6c 61 69 64 2e 6f 72 67 31 29 30 27 06
        03 55 04 03 0c 20 75 6d 62 72 65 6c 6c 61 49 44
        20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74
        68 6f 72 69 74 79 82 09 00 d3 c4 34 67 60 92 00
        65 30 0c 06 03 55 1d 13 04 05 30 03 01 01 ff 30
        36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27
        86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61
        6d 70 6c 65 2e 63 6f 6d 2f 65 78 61 6d 70 6c 65
        5f 63 61 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7
        0d 01 01 0b 05 00 03 82 01 01 00 31 25 e9 fe f1
        8c 41 d7 b4 a8 e8 3a 78 27 5f 91 37 66 d3 a1 cb
        7e d4 03 fc c1 18 dc 64 bf a1 72 ee e1 b2 f5 e4
        01 f2 ca b1 fc 23 ea 25 b8 96 1f 86 19 77 be 6e
        e7 5f 18 cc f1 68 b2 61 6d fc ea 86 c6 d3 4b b8
        ae 8f f9 ab 71 68 ad 91 6f bc ed c2 85 45 37 bd
        1b ea 1e f3 1b 2d 00 17 18 f6 e7 25 54 bd 71 50
        0b 01 00 42 aa 56 00 64 a3 bb 91 96 3d be ff ad
        81 ef 25 9c ec a7 bc 15 02 f8 38 fa d2 ff e2 29
        6d f6 fe 81 ca 31 7c 8d 22 a1 93 36 0b fc 6a 4b
        37 c4 7e f9 73 3d bc 3b a0 85 7d 92 f5 d5 cb 19
        67 1a 7a a8 6d 82 0d 22 af 0b 8a 66 52 70 d7 01
        4e 47 26 dc ee 14 36 63 16 86 03 fe ca 63 c7 1d
        74 14 2e cc bc e1 e0 47 fb 80 bc 2a 26 b4 85 c3
        3e 7d 01 89 ad bb eb 46 ed f4 cc 5c f8 55 3b a8
        58 1d 4f 3b 5a 47 b7 cd d6 b4 d2 6b bf a8 48 57
        8a 85 ac c9 f8 dd ba ef 17 e6 36 16 03 03 01 4d
        0c 00 01 49 03 00 17 41 04 e6 47 c2 61 c4 0a 0d
        73 58 45 ee a2 40 cd e5 93 10 41 87 b1 fc d4 0a
        48 9d 05 8e 36 00 f0 b1 89 f5 a7 0d dc 5c d0 91
        50 d3 fe 48 19 38 4b ad d3 27 79 6d d4 3a 0f cf
        5e 67 2c eb 42 56 31 4b 35 06 01 01 00 56 42 d5
        d9 32 5e 00 b8 f7 dd a1 a5 e3 a5 08 03 84 a4 30
        fc 3b 6a fc 13 32 18 24 d8 34 dc 4a 03 7f 53 73
        7f 36 7b a8 38 23 f7 95 8e 31 80 31 8b fa 5d d2
        25 a5 9b 0a d6 a9 e2 98 50 92 e4 12 48 69 1e 64
        31 d7 de 02 ee 4e db 42 8d 7d 45 2e 16 6c 1d d5
        07 d5 6f 3a 22 3a 04 2c 74 51 69 4f fc f4 f9 6d
        a2 e7 d2 43 d2 97 f4 d5 f7 e0 59 6b 3d 63 0b 97
        10 59 1b 91 2a 69 c9 b9 9e ee a2 75 b9 40 71 51
        f8 f3 7a d9 9c d6 b3 13 13 69 12 dc c8 a7 69 50
        30 01 92 86 c0 f8 52 10 f8 0d 58 41 7b 5e bc 97
        43 82 9c c4 98 76 54 ea dc e9 5f 30 17 33 53 fb
        92 df ec 5b 99 5f e3 f4 59 09 84 af 1c e2 93 08
        1e 9d 12 c7 d4 03 a7 c1 f6 16 77 54 29 1f 64 25
        8f cf fb fd e2 90 4e 50 82 5f af 75 93 f1 d5 0e
        bd 5a c6 69 fb 23 59 89 84 74 bb 25 b4 33 b1 7f
        d7 a4 77 fe bb 7d 41 ba be ff 19 2d 62 16 03 03
        00 04 0e 00 00 00
        continue needed...
        Received token (size=156):
        60 81 99 06 09 2b 06 01 05 05 0f 01 01 12 06 01
        80 00 00 04 00 00 00 84 02 04 00 84 15 00 16 03
        03 00 46 10 00 00 42 41 04 bd bc 1a 91 b6 9a d4
        dc 98 3f 65 59 59 d5 78 a9 cb c8 60 36 b4 15 1e
        3c db 54 b6 43 a1 50 ef 0a 89 ae a3 a1 c3 68 df
        8c c9 13 90 83 7d fa 94 90 41 97 61 0a 67 c7 19
        ca 11 72 36 34 72 b6 95 a1 14 03 03 00 01 01 16
        03 03 00 28 e0 7e de ef 92 db ae d0 70 f2 8b ee
        db 87 c5 47 9e d2 af 9d 50 ab cf 4f 5f a5 a6 30
        fc 60 fe 1e b5 cb 0e 8c 4a b1 9c 2a
        Sending accept_sec_context token (size=84):
        60 52 06 09 2b 06 01 05 05 0f 01 01 12 06 02 80
        00 00 05 00 00 00 3d 01 05 00 3d 15 80 00 00 00
        33 14 03 03 00 01 01 16 03 03 00 28 e5 c1 a4 50
        31 85 cc c1 fc 78 33 4e a4 e4 ec 19 26 cc 78 5b
        44 f7 8f ab ed 2e f4 fd 77 bf 38 13 62 1a 12 10
        6e e9 64 fc
        continue needed...
        Received token (size=94):
        60 5c 06 09 2b 06 01 05 05 0f 01 01 12 06 01 80
        00 00 04 00 00 00 47 02 05 00 47 15 00 17 03 03
        00 3c e0 7e de ef 92 db ae d1 f8 b2 47 c3 d9 f4
        ac af b2 43 04 b0 cf 90 32 c2 f5 82 65 c6 f9 64
        0c f4 9e a7 3a ed d6 37 99 44 fb 6e 01 8d 2a 75
        23 e9 92 e8 00 f0 4b 6d 38 1f b0 1c 98 5d
        Sending accept_sec_context token (size=86):
        60 54 06 09 2b 06 01 05 05 0f 01 01 12 06 02 80
        00 00 05 00 00 00 3f 01 06 00 3f 15 80 00 00 00
        35 17 03 03 00 30 e5 c1 a4 50 31 85 cc c2 ab f9
        c8 c2 fc f3 71 4c b1 4b 3e 04 ba fb a0 82 e7 dc
        e7 b3 08 3a ab 7e 74 44 d8 4e 8a 7a 06 43 4a 11
        c3 7b 05 b3 be 7f
        continue needed...
        Received token (size=126):
        60 7c 06 09 2b 06 01 05 05 0f 01 01 12 06 01 80
        00 00 04 00 00 00 67 02 06 00 67 15 00 17 03 03
        00 5c e0 7e de ef 92 db ae d2 4f cd de 22 6e e0
        da 51 14 e2 6c 77 28 19 59 dc dd 6b 62 a1 e5 10
        f3 9d f9 e3 09 73 58 ec d9 44 15 35 3c 6d c1 aa
        46 bf a6 be 04 35 a6 6c 2d 7e b7 78 a2 2c 66 8d
        51 8d 9c 89 b5 86 8b f2 18 ef 1c 6b f3 bc ba 6f
        ae bc 74 5d c7 af e0 90 90 3f d9 74 fa ea
        Sending accept_sec_context token (size=106):
        60 68 06 09 2b 06 01 05 05 0f 01 01 12 06 02 80
        00 00 05 00 00 00 53 01 07 00 53 15 80 00 00 00
        49 17 03 03 00 44 e5 c1 a4 50 31 85 cc c3 c0 e3
        c5 ca f5 e7 af 76 ee e0 81 c5 c7 51 06 82 6a 58
        a0 c9 e4 42 45 6f ef ad c8 04 83 aa 42 7d a6 a8
        d9 c6 7a 1a 88 2f 86 18 c2 77 a0 d0 5a cb 86 de
        ee aa 06 dd 60 9d 40 01 79 3f
        continue needed...
        Received token (size=29):
        60 1b 06 09 2b 06 01 05 05 0f 01 01 12 06 01 80
        00 00 04 00 00 00 06 02 07 00 06 15 00
        2018-06-21 15:53:50 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
        2018-06-21 15:53:50 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
        2018-06-21 15:53:50 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
        Sending accept_sec_context token (size=27):
        60 19 06 09 2b 06 01 05 05 0f 01 01 12 06 02 80
        00 00 05 00 00 00 04 03 07 00 04
        continue needed...
        Received token (size=47):
        60 2d 06 09 2b 06 01 05 05 0f 01 01 12 06 01 00
        00 00 0c 00 00 00 04 00 00 00 02 80 00 00 0d 00
        00 00 0c bc c7 48 bc 94 0e 78 a5 1c 20 fe 93
        Sending accept_sec_context token (size=31):
        60 1d 06 09 2b 06 01 05 05 0f 01 01 12 06 02 80
        00 00 01 00 00 00 08 00 06 00 00 00 00 00 00
        GSS-API error accepting context: A token had an invalid Message Integrity Check (MIC)
        GSS-API error accepting context: Decrypt integrity check failed
        
        
        Cheers Björn
        __________________________________________
        Paul Scherrer Institut 
        Björn Erik Abt
        IT Security Officer
        WHGA/U136
        CH-5232 Villigen PSI
        
        Phone: +41 56 310 40 17
        E-Mail: [log in to unmask] 
        
        
        -----Original Message-----
        From: GOV-UK-REQUESTS [mailto:[log in to unmask]] On Behalf Of Stefan Paetow
        Sent: Thursday, 21 June 2018 15:40
        To: [log in to unmask]
        Subject: FW: A token had an invalid Message Integrity Check (MIC)
        
            Hi Björn, 
            
            Apologies for the late reply! That is odd. 
            
            Do you get a similar message if you use the classic gss-server and gss-client exchange (i.e. using gss-client on the client machine, whilst running gss-server on the server)? 
            
            Also, which OS is this? CentOS?
            
            With Regards
            
            Stefan Paetow
            Consultant, Trust and Identity
            
            t: +44 (0)1235 822 125
            gpg: 0x3FCE5142
            xmpp: [log in to unmask]
            skype: stefan.paetow.janet
            
            jisc.ac.uk
            
            
            
            From: GOV-UK-REQUESTS <[log in to unmask]> on behalf of Abt Björn <[log in to unmask]>
            Reply-To: Abt Björn <[log in to unmask]>
            Date: Wednesday, 20 June 2018 at 14:40
            To: <[log in to unmask]>
            Subject: A token had an invalid Message Integrity Check (MIC)
            
            Dear Moonshot-List,
             
            I’m trying to set up a moonshot infrastructure and am failing with an openssh login.
             
            The setup uses an rp-proxy to connect directly to an idp without a trust router:
             
            openssh-client → openssh-server → rp proxy → idp
             
            When connecting via ssh the moonshot-ui pops up and allows the selection of an identity to be sent.
             
            The radsec communication and the authentication on the idp look fine AFAIK:
             
            Access-Accept from idp:
             
            (263) Sent Access-Accept Id 98 from 0.0.0.0:2083 to 129.129.230.131:59006 length 1262
            (263)   MS-MPPE-Recv-Key = 0x1c1acc12b842cc3eb6acb36bfac13eab194ea8278997e73017ea412287445f84
            (263)   MS-MPPE-Send-Key = 0xee3f19523b5051975cb5b429d71b30e807dd2596b7de789e333b781ef316284b
            (263)   EAP-Message = 0x03070004
            (263)   Message-Authenticator = 0x00000000000000000000000000000000
            (263)   Proxy-State = 0x30
            (263)   EAP-Channel-Binding-Message += 0x02001901a406686f7374a5136d6f6f6e73686f7430312e7073692e6368
            (263)   SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2018-06-20T13:53:39" ID="7824c02a-6d7d-42e4-9d97-db85db5eaa35" Version="2.0">'
            (263)   SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:umbrellaid.org</saml:Issuer><saml:AttributeStatement>'
            (263)   SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">'
            (263)   SAML-AAA-Assertion += '<saml:AttributeValue>flowback</saml:AttributeValue>'
            (263)   SAML-AAA-Assertion += '</saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.42750.1.1.1" FriendlyName="EAAHash">'
            (263)   SAML-AAA-Assertion += '<saml:AttributeValue>XXXXXXXX-XXXX-XXXXX-XXXX-XXXXXXXXXXXX</saml:AttributeValue>'
            (263)   SAML-AAA-Assertion += '</saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.42750.1.1.3" FriendlyName="EAAKey">'
            (263)   SAML-AAA-Assertion += '<saml:AttributeValue> XXXXXXXX-XXXX-XXXXX-XXXX-XXXXXXXXXXXX </saml:AttributeValue>'
            (263)   SAML-AAA-Assertion += '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
            (263)   Moonshot-Host-TargetedId = [log in to unmask]
            (263) Finished request
             
            And also the rp proxy returns an Access-Accept after a user mapping via a database:
             
            (79) Sent Access-Accept Id 0 from 0.0.0.0:2083 to 129.129.230.132:40376 length 0
            (79)   MS-MPPE-Recv-Key = 0x1c1acc12b842cc3eb6acb36bfac13eab194ea8278997e73017ea412287445f84
            (79)   MS-MPPE-Send-Key = 0xee3f19523b5051975cb5b429d71b30e807dd2596b7de789e333b781ef316284b
            (79)   EAP-Message = 0x03070004
            (79)   Message-Authenticator = 0x16dc64fef42441fe37d0150c9053bb7f
            (79)   EAP-Channel-Binding-Message = 0x02001901a406686f7374a5136d6f6f6e73686f7430312e7073692e6368
            (79)   Moonshot-Host-TargetedId = "[log in to unmask]"
            (79)   SAML-AAA-Assertion = "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" IssueInstant=\"2018-06-20T13:53:39\" ID=\"76ca4f39-da9c-4b1d-bb2f-553a48537184\" Version=\"2.0\">"
            (79)   SAML-AAA-Assertion += "<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>"
            (79)   SAML-AAA-Assertion += "<saml:AttributeStatement>"
            (79)   SAML-AAA-Assertion += "<saml:Attribute NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\">"
            (79)   SAML-AAA-Assertion += "<saml:AttributeValue>bjoern</saml:AttributeValue>"
            (79)   SAML-AAA-Assertion += "</saml:Attribute></saml:AttributeStatement>"
            (79)   SAML-AAA-Assertion += "</saml:Assertion>"
            (79)   User-Name = "bjoern"
            (79) Finished request
             
            But on the openssh-server I get:
             
            debug1: A token had an invalid Message Integrity Check (MIC)
            Decrypt integrity check failed
             
            While on the openssh-client I get:
             
            debug1: Received GSSAPI_CONTINUE
            debug1: Calling gss_init_sec_context
            debug1: Delegating credentials
            debug3: send packet: type 31
            ssh_packet_read: Connection closed
             
             
            Attached you will find the output from an “ltrace -C -l  '*mech_eap*' -f /usr/sbin/sshd -ddd -p 6969” command.
             
            Does anyone have a clue what I’m doing wrong?
             
            Best regards
            Björn
            __________________________________________
            Paul Scherrer Institut 
            Björn Erik Abt
            IT Security Officer
            WHGA/U136
            CH-5232 Villigen PSI
            
            Phone: +41 56 310 40 17
            E-Mail: [log in to unmask] 
             
            
            
            To unsubscribe from the MOONSHOT-COMMUNITY list, click the following link:
            https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MOONSHOT-COMMUNITY&A=1 
            
            
            ########################################################################
            
            To unsubscribe from the MOONSHOT list, click the following link:
            https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MOONSHOT&A=1
            
        
        
    
    


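The gss-server trace quoted in the thread prints every GSS-EAP context token as raw hex, which is hard to read by eye. The script below is an added example, not part of the thread and not code from the Moonshot project: it decodes the RFC 2743 InitialContextToken framing and the RFC 7055 subtokens (32-bit type with a critical bit, 32-bit length, value) for a selection of tokens copied from that trace. Decoded, the tokens show the acceptor-name exchange, the EAP Identity response, the EAP-TTLS start, an EAP Success with identifier 7 (the same `0x03070004` that appears as `EAP-Message` in the RADIUS Access-Accept), and finally the acceptor's error subtoken whose major status 0x00060000 is routine error 6, GSS_S_BAD_MIC (RFC 2744), matching the "invalid Message Integrity Check" message. Only subtoken types whose meaning the trace itself confirms are given names; the two types in the initiator's last token are reported numerically rather than guessed, and the `TRACE` labels are constructed for this example.

```python
"""Decode GSS-EAP (RFC 7055) context tokens from a gss-server hex trace.

Added diagnostic example. The token bytes in TRACE are copied from the
gss-server output quoted in the thread; the decoding code is not part of
the Moonshot project.
"""
import struct

# DER content of the mechanism OID 1.3.6.1.5.5.15.1.1.18 given to gss-client
GSS_EAP_OID_DER = bytes.fromhex("2b060105050f010112")
ITOK_CRITICAL = 0x80000000  # high bit of a subtoken type marks it critical

# Subtoken types whose meaning the trace confirms; anything else is shown as a number.
ITOK_NAMES = {1: "context-error", 2: "acceptor-name-request",
              3: "acceptor-name-response", 4: "eap-response", 5: "eap-request"}
TOKEN_DIRECTION = {0x0601: "initiator", 0x0602: "acceptor"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 21: "EAP-TTLS"}
GSS_ROUTINE_ERRORS = {6: "GSS_S_BAD_MIC"}  # RFC 2744 routine-error field values


def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length octets at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_context_token(raw):
    """Split an RFC 2743 InitialContextToken into its GSS-EAP subtokens."""
    if not raw or raw[0] != 0x60:
        raise ValueError("not an InitialContextToken")
    body_len, pos = _der_length(raw, 1)
    if pos + body_len != len(raw):
        raise ValueError("outer length does not match token size")
    if raw[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = _der_length(raw, pos + 1)
    if raw[pos:pos + oid_len] != GSS_EAP_OID_DER:
        raise ValueError("not a GSS-EAP token")
    pos += oid_len
    direction = TOKEN_DIRECTION.get(int.from_bytes(raw[pos:pos + 2], "big"), "unknown")
    pos += 2
    subtokens = []
    while pos < len(raw):  # each subtoken: 32-bit type, 32-bit length, value
        itok_type, length = struct.unpack(">II", raw[pos:pos + 8])
        value = raw[pos + 8:pos + 8 + length]
        if len(value) != length:
            raise ValueError("truncated subtoken")
        pos += 8 + length
        subtokens.append({"type": itok_type & 0x7FFFFFFF,
                          "critical": bool(itok_type & ITOK_CRITICAL),
                          "value": value})
    return {"direction": direction, "subtokens": subtokens}


def describe(sub):
    """One-line human-readable rendering of a subtoken."""
    t, v = sub["type"], sub["value"]
    name = ITOK_NAMES.get(t, "type-0x%08x" % t)
    if t == 1 and len(v) >= 8:  # error subtoken: major status, minor status
        major, minor = struct.unpack(">II", v[:8])
        routine = (major >> 16) & 0xFF
        return "%s: %s (major=0x%08x, minor=%d)" % (
            name, GSS_ROUTINE_ERRORS.get(routine, "routine-error-%d" % routine), major, minor)
    if t in (2, 3):  # acceptor name as a printable string
        return "%s: %s" % (name, v.decode("ascii", "replace"))
    if t in (4, 5) and len(v) >= 4:  # EAP packet header: code, id, length[, type]
        code, ident, length = struct.unpack(">BBH", v[:4])
        eap_type = EAP_TYPES.get(v[4], str(v[4])) if len(v) > 4 else "-"
        return "%s: EAP %s id=%d len=%d type=%s" % (
            name, EAP_CODES.get(code, str(code)), ident, length, eap_type)
    return "%s: %d bytes%s" % (name, len(v), " (critical)" if sub["critical"] else "")


def diagnose(trace):
    """Return (label, error name) for the first context-error subtoken, else None."""
    for label, hx in trace:
        for sub in parse_context_token(bytes.fromhex(hx))["subtokens"]:
            if sub["type"] == 1:
                routine = (int.from_bytes(sub["value"][:4], "big") >> 16) & 0xFF
                return label, GSS_ROUTINE_ERRORS.get(routine, "routine-error-%d" % routine)
    return None


# Selected tokens from the quoted gss-server trace; labels are constructed (direction + size).
TRACE = [
    ("initiator 45", "602b06092b060105050f0101120601" "0000000200000016"
                     "686f73742f6d6f6f6e73686f7430312e7073692e6368"),
    ("initiator 43", "602906092b060105050f0101120601" "8000000400000014"
                     "0200001401" "40554d4252454c4c4149442e4f5247"),
    ("acceptor 29", "601b06092b060105050f0101120602" "8000000500000006" "010100061520"),
    ("acceptor 27", "601906092b060105050f0101120602" "8000000500000004" "03070004"),
    ("initiator 47", "602d06092b060105050f0101120601" "0000000c00000004" "00000002"
                     "8000000d0000000c" "bcc748bc940e78a51c20fe93"),
    ("acceptor 31", "601d06092b060105050f0101120602" "8000000100000008" "0006000000000000"),
]

if __name__ == "__main__":
    for label, hx in TRACE:
        token = parse_context_token(bytes.fromhex(hx))
        print(label, "(%s)" % token["direction"])
        for sub in token["subtokens"]:
            print("   ", describe(sub))
    print("first error:", diagnose(TRACE))
```

Run as-is, the script prints each token's subtokens and `diagnose()` returns the acceptor's GSS_S_BAD_MIC error. Read this way, the trace shows the EAP method itself completing (Identity, EAP-TTLS, Success) and the context failing only at the final exchange, where the initiator's MIC subtoken is checked by the acceptor; that narrows the search to the key material and MIC inputs on the two sides rather than to the TLS or RADIUS transport.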